
Rootkit, occasional popup online, svchost takes up 100% cpu


This topic is locked. 10 replies to this topic.

#1 ghen (Members, 7 posts)

Posted 29 July 2011 - 08:46 AM

I am usually OK at cleaning family computers, but when I got infected myself I'm unable to clean it. Symptoms include the occasional popup in Firefox for advertisements as well as a single svchost taking up 80-100% CPU starting 3-5 minutes after the computer boots fully. If I kill that svchost my computer loses a bit of functionality, but the problem goes away until I reboot.

edit: Also, hibernate doesn't work. The computer tries to come back but hangs during the process.

I have tried MBAM updated as of 7/27 and ComboFix updated as of 7/28. ComboFix froze a few times during operation, which isn't normal, but the third time it finished successfully. This computer did have a rogue anti-virus that was cleaned during this process, but the rootkit was not cleaned.

I will NOT try any more cleaning on this computer, instead I will do only what is told of me on the forum. I'm a good listener. :)


.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_25
Run by jcopeland at 8:35:49 on 2011-07-29
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.749 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spark\Spark.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
svchost.exe
svchost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe
C:\Program Files\smartagent\bin\tgsrvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\TeamViewer\Version6\TeamViewer.exe
C:\Program Files\TeamViewer\Version6\tv_w32.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Mozilla Firefoxxx\firefox.exe
C:\Documents and Settings\smiller\Desktop\procexp.exe
C:\Program Files\Mozilla Firefoxxx\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://portal.dealersuite.com/josso/signon/login.do?josso_back_to=/members/index.jsp
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=laptop
uInternet Settings,ProxyOverride = <local>;192.168.*.*
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Spark] c:\program files\spark\Spark.exe
mRun: [UltraMon] "c:\program files\ultramon\UltraMon.exe" /auto
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\smiller\startm~1\programs\startup\dualmo~1.lnk - c:\documents and settings\smiller\application data\realtime soft\ultramon\profiles\dual monitor, master left.umprofile
uPolicies-explorer: NoSMHelp = 01000000
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: adp.com\*.ds
Trusted Zone: adpremotesupport.com
Trusted Zone: autopartners.net\www
Trusted Zone: cobaltgroup.com\toolsw3.prod
Trusted Zone: dealersuite.com\portal
Trusted Zone: gmglobalconnect.com\www
Trusted Zone: vinmanager.com\apps
DPF: CM_AdvancedCAB - hxxps://www.gs.reyrey.com/common/ClientCheck/CM_AdvancedCAB.CAB
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {00906302-0F14-442C-B39C-275F61BC25BC} - hxxp://192.110.112.1/apps/autoTools/sda/common/atSdaCfg.CAB
DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - hxxp://dsra1he.ds.adp.com/sdccommon/download/tgctlsi.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://dsra1he.ds.adp.com/sdccommon/download/tgctlcm.cab
DPF: {01118F00-3E00-11D2-8470-0060089874ED} - hxxp://dsra1he.ds.adp.com/sdccommon/download/ssrc.cab
DPF: {01119400-3E00-11D2-8470-0060089874ED} - hxxp://dsra1he.ds.adp.com/sdccommon/download/sprtctlln.cab
DPF: {037790A6-1576-11D6-903D-00105AABADD3} - hxxp://192.110.112.1/apps/bluezone/controls/sglw2hcm.ocx
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {0D221D00-A6ED-477C-8A91-41F3B660A832} - hxxps://apps.vinmanager.com/CarDashboard/Reserved.ReportViewerWebControl.axd?Mode=true&ReportID=e6f94e5ef5da422b91d4970147f33135&ControlID=9b8b88523d0949a5b272d0f223cf4155&Culture=1033&UICulture=1033&ReportStack=1&OpType=PrintCab
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxp://apps.vinmanager.com/CarDashboard/scriptx/smsx6_3.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxps://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - hxxp://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
DPF: {4E8AEBE0-31A6-43B0-A429-748DB14A70A0} - hxxp://192.110.112.1/apps/common/includes/PC-CONFIG-CHECK.CAB
DPF: {6464CEE5-3D4A-483B-A816-9287286C77DB} - hxxp://192.110.112.1/apps/common/includes/NETX.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - hxxps://www.ecarlist.com/ImageUploader3.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} - file://porterserv01/VPHOME/CLT-INST/WEBINST/webinst.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.110.112.95 192.224.49.125
TCP: Interfaces\{3E1CA526-FADD-48B6-952D-DA2ED7F297FD} : NameServer = 4.2.2.2
TCP: Interfaces\{3E1CA526-FADD-48B6-952D-DA2ED7F297FD} : DhcpNameServer = 192.110.112.95 192.224.49.125
TCP: Interfaces\{51E58E3D-58D5-4833-B9DD-08322C3F6447} : NameServer = 8.8.8.8
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
Notify: ter1mw32 - ter1mw32.dll
Notify: termsvces - ter1mw32.dll
AppInit_DLLs: c:\windows\system32\acaptuser32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
IFEO: taskmgr.exe - "c:\documents and settings\smiller\desktop\PROCEXP.EXE"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\smiller\application data\mozilla\firefox\profiles\jqwt63vr.default\
FF - plugin: c:\documents and settings\smiller\application data\mozilla\plugins\npatgpc.dll
FF - plugin: c:\documents and settings\smiller\local settings\application data\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\documents and settings\smiller\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165648]
R1 MpKsl482a02fb;MpKsl482a02fb;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e9ca6b69-b408-4a09-9a07-99cbc0f3b0d6}\MpKsl482a02fb.sys [2011-7-29 28752]
R2 io.sys;IO.DLL Driver;c:\windows\system32\drivers\io.sys [2008-9-23 5152]
R2 MotoHelper;MotoHelper Service;c:\program files\motorola\motohelper\MotoHelperService.exe [2010-12-2 218432]
R2 TeamViewer6;TeamViewer 6;c:\program files\teamviewer\version6\TeamViewer_Service.exe [2010-12-7 2228008]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\common files\realtime soft\ultramonmirrordrv\x32\UltraMonUtility.sys [2006-9-24 11776]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [2006-9-24 3584]
S1 MpKsl5b737f77;MpKsl5b737f77;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ee10864b-6fa8-4a45-8ed0-b655ca27082c}\mpksl5b737f77.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ee10864b-6fa8-4a45-8ed0-b655ca27082c}\MpKsl5b737f77.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys --> c:\windows\system32\drivers\motfilt.sys [?]
S3 GenericMount;Generic Mount Driver;c:\windows\system32\drivers\genericmount.sys --> c:\windows\system32\drivers\GenericMount.sys [?]
S3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys [2011-5-4 25856]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys --> c:\windows\system32\drivers\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys --> c:\windows\system32\drivers\motccgpfl.sys [?]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\motousbnet.sys --> c:\windows\system32\drivers\Motousbnet.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-1-12 185640]
S4 vsdatant;vsdatant;a --> a [?]
UnknownUnknown fjenjrob;fjenjrob; [x]
.
=============== File Associations ===============
.
exefile="c:\documents and settings\networkservice\local settings\application data\dsh.exe" -a "%1" %*
.
=============== Created Last 30 ================
.
2011-07-29 12:12:48 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e9ca6b69-b408-4a09-9a07-99cbc0f3b0d6}\MpKsl482a02fb.sys
2011-07-29 12:09:54 6881616 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e9ca6b69-b408-4a09-9a07-99cbc0f3b0d6}\mpengine.dll
2011-07-28 14:02:05 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-07-28 14:02:01 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2011-07-28 14:02:00 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2011-07-28 14:01:56 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2011-07-28 14:01:53 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2011-07-28 14:01:38 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
2011-07-28 14:01:34 16970 ----a-w- c:\windows\system32\dllcache\xem336n5.sys
2011-07-28 14:01:33 19455 ----a-w- c:\windows\system32\dllcache\wvchntxx.sys
2011-07-28 14:01:30 19200 ----a-w- c:\windows\system32\dllcache\wstcodec.sys
2011-07-28 14:01:29 12063 ----a-w- c:\windows\system32\dllcache\wsiintxx.sys
2011-07-28 14:01:13 154624 ----a-w- c:\windows\system32\dllcache\wlluc48.sys
2011-07-28 14:01:09 34890 ----a-w- c:\windows\system32\dllcache\wlandrv2.sys
2011-07-28 14:01:01 771581 ----a-w- c:\windows\system32\dllcache\winacisa.sys
2011-07-28 13:59:57 53760 ----a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2011-07-28 13:58:59 50688 ----a-w- c:\windows\system32\dllcache\umaxscan.dll
2011-07-28 13:57:58 42496 ----a-w- c:\windows\system32\dllcache\tp4res.dll
2011-07-28 13:56:57 172768 ----a-w- c:\windows\system32\dllcache\t2r4disp.dll
2011-07-28 13:55:56 48736 ----a-w- c:\windows\system32\dllcache\srwlnd5.sys
2011-07-28 13:54:56 24576 ----a-w- c:\windows\system32\dllcache\smc8000n.sys
2011-07-28 13:53:58 101760 ----a-w- c:\windows\system32\dllcache\sis300ip.sys
2011-07-28 13:52:59 43904 ----a-w- c:\windows\system32\dllcache\sbp2port.sys
2011-07-28 13:51:57 30720 ----a-w- c:\windows\system32\dllcache\rthwcls.sys
2011-07-28 13:50:57 40320 ----a-w- c:\windows\system32\dllcache\ql1080.sys
2011-07-28 13:49:58 259328 ----a-w- c:\windows\system32\dllcache\perm3dd.dll
2011-07-28 13:48:57 28032 ----a-w- c:\windows\system32\dllcache\ovcd.sys
2011-07-28 13:47:58 132695 ----a-w- c:\windows\system32\dllcache\netwlan5.sys
2011-07-28 13:46:58 103296 ----a-w- c:\windows\system32\dllcache\mtxvideo.sys
2011-07-28 13:46:49 5504 ----a-w- c:\windows\system32\dllcache\mstee.sys
2011-07-28 13:46:48 49024 ----a-w- c:\windows\system32\dllcache\mstape.sys
2011-07-28 13:46:43 12416 ----a-w- c:\windows\system32\dllcache\msriffwv.sys
2011-07-28 13:46:37 2944 ----a-w- c:\windows\system32\dllcache\msmpu401.sys
2011-07-28 13:46:36 22016 ----a-w- c:\windows\system32\dllcache\msircomm.sys
2011-07-28 13:46:28 35200 ----a-w- c:\windows\system32\dllcache\msgame.sys
2011-07-28 13:46:25 6016 ----a-w- c:\windows\system32\dllcache\msfsio.sys
2011-07-28 13:46:24 51200 ----a-w- c:\windows\system32\dllcache\msdv.sys
2011-07-28 13:46:16 17280 ----a-w- c:\windows\system32\dllcache\mraid35x.sys
2011-07-28 13:46:08 15232 ----a-w- c:\windows\system32\dllcache\mpe.sys
2011-07-28 13:46:03 16128 ----a-w- c:\windows\system32\dllcache\modemcsa.sys
2011-07-28 13:44:57 20573 ----a-w- c:\windows\system32\dllcache\lne100.sys
2011-07-28 13:43:56 6656 ----a-w- c:\windows\system32\dllcache\iissync.exe
2011-07-28 13:42:52 488383 ----a-w- c:\windows\system32\dllcache\hsf_v124.sys
2011-07-28 13:41:59 31232 ----a-w- c:\windows\system32\dllcache\hpgt42tk.dll
2011-07-28 13:40:59 92160 ----a-w- c:\windows\system32\dllcache\fuusd.dll
2011-07-28 13:39:59 594238 ----a-w- c:\windows\system32\dllcache\es56hpi.sys
2011-07-28 13:38:56 334208 ----a-w- c:\windows\system32\dllcache\ds1wdm.sys
2011-07-28 13:37:59 7424 ----a-w- c:\windows\system32\dllcache\ddsmc.sys
2011-07-28 13:36:59 111232 ----a-w- c:\windows\system32\dllcache\cl5465.dll
2011-07-28 13:35:59 3968 ----a-w- c:\windows\system32\dllcache\brfiltup.sys
2011-07-28 13:34:59 61440 ----a-w- c:\windows\system32\dllcache\acerscad.dll
2011-07-28 13:33:47 7680 ----a-w- c:\windows\system32\dllcache\inetmgr.exe
2011-07-28 13:33:47 19968 ----a-w- c:\windows\system32\dllcache\inetsloc.dll
2011-07-28 13:33:46 169984 ----a-w- c:\windows\system32\dllcache\iisui.dll
2011-07-28 13:33:45 5632 ----a-w- c:\windows\system32\dllcache\iisrstap.dll
2011-07-28 13:33:44 6144 ----a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2011-07-28 13:33:44 14336 ----a-w- c:\windows\system32\dllcache\iisreset.exe
2011-07-27 20:46:39 -------- d-----w- c:\program files\Mozilla Firefoxxx
2011-07-27 20:17:40 -------- d-----w- c:\documents and settings\smiller\local settings\application data\Conduit
2011-07-27 19:20:20 -------- d-sha-r- C:\cmdcons
2011-07-27 19:07:00 98816 ----a-w- c:\windows\sed.exe
2011-07-27 19:07:00 518144 ----a-w- c:\windows\SWREG.exe
2011-07-27 19:07:00 256000 ----a-w- c:\windows\PEV.exe
2011-07-27 19:07:00 208896 ----a-w- c:\windows\MBR.exe
2011-07-27 18:33:03 -------- d-----w- c:\windows\system32\%APPDATA%
2011-07-27 18:32:00 -------- d-----w- c:\program files\Shop to Win 3
2011-07-27 18:31:38 35840 ----a-w- c:\windows\system32\ter1mw32.dll
2011-07-27 13:18:04 -------- d-----w- C:\BOOT
2011-07-27 13:17:50 187528 ----a-w- c:\windows\system32\drivers\eudisk.sys
2011-07-27 13:17:49 30600 ----a-w- c:\windows\system32\drivers\eubakup.sys
2011-07-27 13:17:49 20744 ----a-w- c:\windows\system32\drivers\eufs.sys
2011-07-27 13:17:49 14216 ----a-w- c:\windows\system32\drivers\eudskacs.sys
2011-07-27 13:17:48 35720 ----a-w- c:\windows\system32\drivers\EUBKMON.sys
2011-07-27 13:07:22 -------- d-----w- c:\program files\EASEUS
2011-07-26 17:55:54 752128 ----a-w- c:\windows\system32\drivers\tdrpm273.sys
2011-07-26 17:55:49 600928 ----a-w- c:\windows\system32\drivers\timntr.sys
2011-07-26 17:17:21 -------- d-----w- c:\program files\Runtime Software
2011-07-01 14:52:47 7074640 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\updates\mpengine.dll
2011-07-01 14:50:46 -------- d-----w- c:\program files\VideoLAN
.
==================== Find3M ====================
.
2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-21 15:02:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-03 17:55:33 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-03 17:55:32 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
============= FINISH: 8:39:58.12 ===============

Edited by ghen, 29 July 2011 - 03:12 PM.
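The DDS log above already contains the entries a malware responder would go to first: two Winlogon Notify packages that both load the freshly created ter1mw32.dll, an AppInit_DLLs value, an IFEO debugger on taskmgr.exe, two services with no resolvable image file, and an exefile association that routes every .exe launch through dsh.exe. The script below is an added example, not part of the original post and not part of the DDS tool; it parses those DDS line formats and flags them. The allow-list of Notify DLLs and the severity labels are assumptions for illustration, and the sample lines are excerpted from the log above.

```python
"""Triage of persistence points in a DDS log (added example, not DDS code)."""
import re
from collections import Counter

# Assumed, illustrative allow-list of Winlogon Notify DLLs found on a stock
# Windows XP install plus the Intel graphics driver's igfxdev.dll. It is not
# an authoritative whitelist; tune it to the build you are looking at.
KNOWN_NOTIFY_DLLS = {
    "igfxdev.dll", "scecli.dll", "wlnotify.dll", "crypt32.dll",
    "cryptnet.dll", "sclgntfy.dll", "wgalogon.dll",
}

# Stock value of HKCR\exefile\shell\open\command: run the .exe with its arguments.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'

NOTIFY_RE = re.compile(r"^Notify:\s*(?P<name>\S+)\s+-\s+(?P<dll>\S+)$")
EXEFILE_RE = re.compile(r"^exefile=(?P<cmd>.+)$")
IFEO_RE = re.compile(r"^IFEO:\s*(?P<image>\S+)\s+-\s+(?P<debugger>.+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(?P<dlls>.+)$")
# DDS service lines: '<state> <name>;<display name>;<image path> [date size]'.
# DDS prints 'UnknownUnknown' and '[x]' when the image file cannot be resolved.
SERVICE_RE = re.compile(
    r"^(?P<state>R\d|S\d|UnknownUnknown)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$"
)


def triage(lines):
    """Return (severity, reason, line) for every entry worth a responder's attention."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = NOTIFY_RE.match(line)
        if m:
            dll = m.group("dll").lower()
            if dll not in KNOWN_NOTIFY_DLLS:
                findings.append(("high", f"Winlogon Notify package '{m.group('name')}' loads unrecognised DLL {dll}", line))
            continue
        m = EXEFILE_RE.match(line)
        if m:
            if m.group("cmd").strip() != DEFAULT_EXEFILE_COMMAND:
                findings.append(("high", "exefile association hijacked: every .exe launch is routed through another binary", line))
            continue
        m = IFEO_RE.match(line)
        if m:
            # An IFEO Debugger is also how Process Explorer replaces Task Manager,
            # so report it for review rather than as an alert.
            findings.append(("info", f"IFEO Debugger set for {m.group('image')}: {m.group('debugger')}", line))
            continue
        m = APPINIT_RE.match(line)
        if m:
            findings.append(("medium", f"AppInit_DLLs loads {m.group('dlls')} into every process that links user32.dll", line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            # Image path is everything before the ' [date size]' suffix.
            image = m.group("rest").split(" [", 1)[0].strip()
            if m.group("state") == "UnknownUnknown" or "\\" not in image:
                findings.append(("medium", f"service '{m.group('name')}' has no resolvable image file", line))
    return findings


def summarize(findings):
    """Count findings by severity, e.g. {'high': 3, 'medium': 3, 'info': 1}."""
    return dict(Counter(sev for sev, _, _ in findings))


# Sample lines excerpted from the DDS log in the post above.
SAMPLE_LOG = r"""
Notify: igfxcui - igfxdev.dll
Notify: ter1mw32 - ter1mw32.dll
Notify: termsvces - ter1mw32.dll
AppInit_DLLs: c:\windows\system32\acaptuser32.dll
IFEO: taskmgr.exe - "c:\documents and settings\smiller\desktop\PROCEXP.EXE"
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165648]
S4 vsdatant;vsdatant;a --> a [?]
UnknownUnknown fjenjrob;fjenjrob; [x]
exefile="c:\documents and settings\networkservice\local settings\application data\dsh.exe" -a "%1" %*
""".strip().splitlines()

if __name__ == "__main__":
    for sev, reason, line in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {reason}\n         {line}")
    print(summarize(triage(SAMPLE_LOG)))
```

The exefile check is the one to act on first when cleaning by hand: while `"%1" %*` is replaced by a path to another binary, launching any removal tool also launches that binary, and deleting it without restoring the association leaves the machine unable to start .exe files at all.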



#2 CatByte (Malware Response Team, 14,664 posts, Canada)

Posted 30 July 2011 - 03:28 PM

Please post the ComboFix Log(s), also run the following:

Download FixTDSS and save it to your desktop.

Double click on the FixTDSS.exe icon to run it.

Click the "I Accept" button, then the "Proceed" button to begin

The tool will restart your computer automatically - click OK to allow it to do so

The tool will begin its scan on reboot > click "run" to begin

It will report if an infected MBR is found > click the "repair" button

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
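What an "infected MBR" check boils down to, as an added example that is not part of the thread and is not how FixTDSS works internally: sector 0 holds 440 bytes of bootstrap code, the disk signature, four 16-byte partition entries and the 0x55AA signature. A bootkit of the TDSS family replaces the bootstrap code and leaves the partition table alone, so the partition table can look perfectly normal while the boot code has been swapped. Hashing the boot code and comparing it with a known-good copy catches the swap. The reference hash, the sample sector images and the end-of-disk slack threshold below are constructed for this example; a real reference hash has to come from a copy of the same boot loader you trust.

```python
"""MBR boot-code integrity check (added example, not FixTDSS internals)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440               # bytes 0..439: executable bootstrap code
DISK_SIG_OFF = 440                # bytes 440..443: NT disk signature
PARTITION_TABLE_OFF = 446         # four 16-byte entries at 446..509
PARTITION_ENTRY_FMT = "<B3xB3xII"  # status, CHS start, type, CHS end, LBA start, LBA count
MBR_SIGNATURE = b"\x55\xAA"       # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a raw sector-0 image into its fields; raise ValueError if malformed."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + i * 16
        status, ptype, lba_start, lba_count = struct.unpack_from(PARTITION_ENTRY_FMT, sector, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "lba_count": lba_count})
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the bootstrap code only, so partition-table edits do not change it."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()


def check_mbr(sector: bytes, known_good_hash: str, disk_sectors=None, slack_threshold=2048):
    """Return human-readable findings; an empty list means nothing looked wrong."""
    findings = []
    mbr = parse_mbr(sector)
    if hashlib.sha256(mbr["boot_code"]).hexdigest() != known_good_hash:
        findings.append("boot code differs from the known-good copy")
    bootable = [p for p in mbr["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions marked active, expected exactly one")
    # Heuristic (assumption): bootkits of this family keep their components in
    # unpartitioned space after the last partition, so a large tail is worth a look.
    if disk_sectors is not None and mbr["partitions"]:
        last_used = max(p["lba_start"] + p["lba_count"] for p in mbr["partitions"])
        slack = disk_sectors - last_used
        if slack > slack_threshold:
            findings.append(f"{slack} unpartitioned sectors at the end of the disk")
    return findings


def build_mbr(boot_code: bytes, partitions, disk_signature=0x12345678) -> bytes:
    """Assemble a sector-0 image (constructed test data for this example)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_signature)
    for i, (bootable, ptype, lba_start, lba_count) in enumerate(partitions):
        struct.pack_into(PARTITION_ENTRY_FMT, sector, PARTITION_TABLE_OFF + i * 16,
                         0x80 if bootable else 0x00, ptype, lba_start, lba_count)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


# Constructed images: same partition table, different bootstrap code.
CLEAN_BOOT_CODE = b"\xeb\xfe" + bytes(BOOT_CODE_LEN - 2)                  # jmp $ placeholder
TAMPERED_BOOT_CODE = b"\xeb\x3c" + b"\x90" * 60 + bytes(BOOT_CODE_LEN - 62)
PARTITIONS = [(True, 0x07, 63, 1_000_000)]                                # one active NTFS partition
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
TAMPERED_MBR = build_mbr(TAMPERED_BOOT_CODE, PARTITIONS)
KNOWN_GOOD_HASH = boot_code_hash(CLEAN_MBR)   # assumption: taken from a trusted copy

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, KNOWN_GOOD_HASH, disk_sectors=1_000_063))
    print("tampered:", check_mbr(TAMPERED_MBR, KNOWN_GOOD_HASH, disk_sectors=1_010_000))
```

On a live Windows system sector 0 can be read as administrator from `\\.\PhysicalDrive0`, but a kernel-mode rootkit that hooks disk I/O can hand back a clean-looking copy to a user-mode reader. That is the reason the tool in the post above does its scan on reboot rather than from the running system, and why a check like this one is only conclusive when the sector is read from outside the infected OS.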


#3 ghen (Topic Starter, Members, 7 posts)

Posted 01 August 2011 - 07:04 AM

ComboFix from 7/27; my original date was wrong. This is the only run; after this I didn't run it again.

I haven't acted on anything in the ComboFix log. I also have not uninstalled ComboFix.
-----------------

FixTDSS results:
It found an infected MBR. I hit repair. It stated the repair succeeded.

Microsoft Security Essentials now states that it is turned off. I hit Turn On. It was unable to do so. (error 0x800705b4)
-----------------

ComboFix 11-07-27.02 - jcopeland 07/27/2011 15:28:24.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1450 [GMT -4:00]
Running from: c:\documents and settings\smiller\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\NetworkService\Local Settings\Application Data\dsh.exe
c:\documents and settings\smiller\Application Data\ABSe
c:\documents and settings\smiller\Application Data\ABSe\jJobs.INI
c:\documents and settings\smiller\g2mdlhlpx.exe
c:\documents and settings\smiller\GoToAssistDownloadHelper.exe
c:\documents and settings\smiller\Recent\Thumbs.db
C:\Install.exe
c:\windows\Downloaded Program Files\webinst.dll
c:\windows\IMAGE.EXE.LOG
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\Ijl11.dll
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-06-27 to 2011-07-27 )))))))))))))))))))))))))))))))
.
.
2011-07-27 18:52 . 2011-07-27 18:52 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5A182C1E-9FED-4650-8F28-863928902365}\MpKsl6138f141.sys
2011-07-27 18:33 . 2011-07-27 18:33 -------- d-----w- c:\windows\system32\%APPDATA%
2011-07-27 18:32 . 2011-07-27 18:32 -------- d-----w- c:\program files\Conduit
2011-07-27 18:32 . 2011-07-27 18:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\WhiteSmoke_Bar
2011-07-27 18:32 . 2011-07-27 18:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Conduit
2011-07-27 18:32 . 2011-07-27 18:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2011-07-27 18:32 . 2011-07-27 18:32 -------- d-----w- c:\program files\WhiteSmoke_Bar
2011-07-27 18:32 . 2011-07-27 18:32 -------- d-----w- c:\program files\Shop to Win 3
2011-07-27 18:31 . 2011-07-27 18:31 -------- d-----w- c:\program files\Shop To Win
2011-07-27 18:31 . 2011-07-27 18:31 -------- d-----w- c:\program files\FinderQuery Addon
2011-07-27 18:31 . 2011-07-27 18:31 -------- d-----w- c:\program files\IspAssistant Addon
2011-07-27 18:31 . 2011-07-27 18:31 218624 ----a-w- c:\windows\system32\termlw32.dll
2011-07-27 18:31 . 2011-07-27 18:31 35840 ----a-w- c:\windows\system32\ter1mw32.dll
2011-07-27 16:09 . 2011-07-27 16:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-07-27 15:32 . 2011-07-27 15:32 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5A182C1E-9FED-4650-8F28-863928902365}\MpKsld9b1b146.sys
2011-07-27 14:30 . 2011-07-27 14:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-07-27 13:18 . 2011-07-27 19:04 -------- d-----w- C:\BOOT
2011-07-27 13:17 . 2011-04-22 22:26 187528 ----a-w- c:\windows\system32\drivers\eudisk.sys
2011-07-27 13:17 . 2011-04-22 22:26 20744 ----a-w- c:\windows\system32\drivers\eufs.sys
2011-07-27 13:17 . 2011-04-22 22:26 14216 ----a-w- c:\windows\system32\drivers\eudskacs.sys
2011-07-27 13:17 . 2011-04-22 22:26 30600 ----a-w- c:\windows\system32\drivers\eubakup.sys
2011-07-27 13:17 . 2011-04-22 22:26 35720 ----a-w- c:\windows\system32\drivers\EUBKMON.sys
2011-07-27 13:07 . 2011-07-27 13:17 -------- d-----w- c:\program files\EASEUS
2011-07-27 12:19 . 2009-10-02 02:03 131000 ----a-w- c:\windows\system32\drivers\WimFltr.sys
2011-07-27 12:18 . 2009-09-22 00:20 138592 ----a-w- c:\windows\system32\drivers\symsnap.sys
2011-07-27 12:18 . 2009-09-22 00:40 15096 ----a-w- c:\windows\system32\drivers\vproeventmonitor.sys
2011-07-27 12:17 . 2009-05-18 18:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-07-27 12:17 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2011-07-27 12:16 . 2011-07-27 12:17 -------- d-----w- c:\program files\Norton Ghost
2011-07-26 17:56 . 2011-07-26 17:56 163232 ----a-w- c:\windows\system32\drivers\afcdp.sys
2011-07-26 17:55 . 2011-07-26 17:55 752128 ----a-w- c:\windows\system32\drivers\tdrpm273.sys
2011-07-26 17:55 . 2011-07-26 17:55 600928 ----a-w- c:\windows\system32\drivers\timntr.sys
2011-07-26 17:55 . 2011-07-26 17:55 170464 ----a-w- c:\windows\system32\drivers\snapman.sys
2011-07-26 17:54 . 2011-07-26 17:54 -------- d-----w- c:\program files\Acronis
2011-07-26 17:54 . 2011-07-26 17:56 -------- d-----w- c:\program files\Common Files\Acronis
2011-07-26 17:17 . 2011-07-26 17:45 -------- d-----w- c:\program files\Runtime Software
2011-07-26 15:40 . 2011-07-13 03:39 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5A182C1E-9FED-4650-8F28-863928902365}\mpengine.dll
2011-07-14 20:09 . 2011-07-14 20:11 -------- d-----w- c:\documents and settings\smiller\Application Data\vlc
2011-07-01 14:52 . 2011-06-07 15:55 7074640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
2011-07-01 14:50 . 2011-07-01 14:50 -------- d-----w- c:\program files\VideoLAN
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-13 03:39 . 2010-04-14 12:27 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-07-06 23:52 . 2008-11-14 16:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-06 23:52 . 2008-11-14 16:20 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-21 15:02 . 2011-06-06 12:43 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-03 17:55 . 2011-06-03 17:55 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-03 17:55 . 2011-06-03 17:55 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-02 14:02 . 2004-08-04 08:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-02 15:31 . 2004-08-04 08:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-08-04 08:00 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2004-08-04 08:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-22 15:50 . 2011-02-22 15:50 289592 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{167d9323-f7cc-48f5-948a-6f012831a69f}]
2011-05-09 09:49 176936 ----a-w- c:\program files\WhiteSmoke_Bar\prxtbWhit.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9F56A04A-4886-48F7-B8B2-376F30FC27DF}]
2010-12-29 18:20 14432 ----a-w- c:\program files\Shop to Win 3\Shop to Win 3.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6DA1E850-9F71-4B3C-81A4-D9EEEF6FCD50}"= "c:\program files\IspAssistant Addon\ispassistant.dll" [2011-04-19 124928]
"{ADC66251-6410-4a15-9499-7D73C6994B25}"= "c:\program files\FinderQuery Addon\finderquery.dll" [2011-07-10 164864]
"{167d9323-f7cc-48f5-948a-6f012831a69f}"= "c:\program files\WhiteSmoke_Bar\prxtbWhit.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{6da1e850-9f71-4b3c-81a4-d9eeef6fcd50}]
.
[HKEY_CLASSES_ROOT\clsid\{adc66251-6410-4a15-9499-7d73c6994b25}]
.
[HKEY_CLASSES_ROOT\clsid\{167d9323-f7cc-48f5-948a-6f012831a69f}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2010-01-04 16:36 2848568 ----a-w- c:\program files\MozyHome\mozyshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2010-01-04 16:36 2848568 ----a-w- c:\program files\MozyHome\mozyshell.dll
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ter1mw32]
2011-07-27 18:31 35840 ----a-w- c:\windows\system32\ter1mw32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsvces]
2011-07-27 18:31 35840 ----a-w- c:\windows\system32\ter1mw32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=c:\windows\pss\DVD Check.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpzrcv01.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpzrcv01.LNK
backup=c:\windows\pss\hpzrcv01.LNKCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^smiller^Start Menu^Programs^Startup^dual monitor, master left.lnk]
path=c:\documents and settings\smiller\Start Menu\Programs\Startup\dual monitor, master left.lnk
backup=c:\windows\pss\dual monitor, master left.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-06-12 02:43 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2010-08-21 10:16 390712 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2008-06-12 06:25 37232 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-06-08 04:02 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 10:42 110592 ----a-w- c:\windows\system32\bthprops.cpl
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrStsWnd]
2008-12-08 13:36 1086776 ------w- c:\program files\Brownie\BrStsWnd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Access Check Version]
1999-10-12 09:50 47888 ----a-w- c:\program files\IBM\Client Access\cwbckver.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Access Help Update]
1999-10-12 09:50 15632 ----a-w- c:\program files\IBM\Client Access\cwbinhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Access Service]
1999-10-12 09:50 6928 ----a-w- c:\program files\IBM\Client Access\cwbsvstr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
2007-09-20 17:58 61440 ----a-w- c:\program files\Hewlett-Packard\Default Settings\Cpqset.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 10:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-08-26 12:43 136176 ----atw- c:\documents and settings\smiller\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 15:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-09-24 12:27 166424 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-09-24 17:27 141848 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 13:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2007-04-19 21:26 484904 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCW Startup]
2002-12-20 22:06 321024 ----a-w- c:\program files\Monitor Calibration Wizard\MCW.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2011-06-15 19:16 997920 ----a-w- c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]
2008-04-14 10:41 177152 ----a-w- c:\windows\system32\mqrt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 10:42 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2004-08-04 13:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 15.0]
2009-10-02 01:32 2596712 ----a-w- c:\program files\Norton Ghost\Agent\VProTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-09-24 12:27 137752 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 13:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 13:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTHOSTTR]
2007-01-09 23:52 145184 ----a-w- c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2007-11-07 00:34 177456 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAOB Monitor]
2010-08-20 13:18 2536752 ----a-w- c:\program files\Acronis\OnlineBackupStandalone\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2006-07-13 16:12 729088 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-01-05 17:36 872448 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spark]
2007-11-14 17:52 434176 ----a-w- c:\program files\Spark\Spark.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-01-07 17:12 253672 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2008-03-28 05:28 1040384 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2010-08-21 10:15 5459136 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UltraMon]
2006-10-13 02:27 304640 ----a-w- c:\program files\UltraMon\UltraMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Tomcat"=2 (0x2)
"tgsrvc_smartagent"=2 (0x2)
"TeamViewer6"=2 (0x2)
"TeamViewer5"=2 (0x2)
"SymSnapService"=3 (0x3)
"sprtsvc_smartagent"=2 (0x2)
"SolidWorks Licensing Service"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Norton Ghost"=2 (0x2)
"MsMpSvc"=2 (0x2)
"mozybackup"=2 (0x2)
"MotoHelper"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"LiveUpdate"=3 (0x3)
"LightScribeService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"IviRegMgr"=2 (0x2)
"ImapiService"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"hpqwmiex"=2 (0x2)
"HP ProCurve Network Manager Server"=2 (0x2)
"HP ProCurve Network Manager Agent"=2 (0x2)
"HP ProCurve Datastore"=2 (0x2)
"gusvc"=3 (0x3)
"GenericMount Helper Service"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"CVPND"=2 (0x2)
"btwdins"=2 (0x2)
"BRA_Scheduler"=2 (0x2)
"AgereModemAudio"=2 (0x2)
"afcdpsrv"=2 (0x2)
"AcrSch2Svc"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\ADP\\webSuite View\\Client 4.5.193.0\\SW9C.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Foxit Software\\PDF Editor\\PDFEdit.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\ADP\\webSuite View\\Client 4.5.228.0\\SW9C.EXE"=
"c:\\Documents and Settings\\smiller\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Common Files\\supportsoft\\bin\\sprtlisten.exe"=
"c:\\Program Files\\Common Files\\supportsoft\\bin\\ssrc.exe"=
"c:\\Program Files\\smartagent\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\smartagent\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\smartagent\\bin\\sprtcmd.exe"=
"c:\\Program Files\\smartagent\\bin\\sprtsvc.exe"=
"c:\\Program Files\\smartagent\\bin\\tgshell.exe"=
"c:\\Program Files\\smartagent\\bin\\tgsrvc.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"17678:TCP"= 17678:TCP:BitComet 17678 TCP
"17678:UDP"= 17678:UDP:BitComet 17678 UDP
.
R0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);c:\windows\system32\drivers\tdrpm273.sys [7/26/2011 1:55 PM 752128]
R2 io.sys;IO.DLL Driver;c:\windows\system32\drivers\io.sys [9/23/2008 1:10 PM 5152]
R2 TermServices;Remote Desktop Service;c:\windows\System32\svchost.exe -k termsvc [8/4/2004 4:00 AM 14336]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [9/24/2006 10:22 PM 11776]
R3 GenericMount;Generic Mount Driver;c:\windows\system32\drivers\GenericMount.sys [9/21/2009 8:26 PM 46192]
R3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys [5/4/2011 11:40 AM 25856]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [9/24/2006 10:23 PM 3584]
S1 MpKsl5b737f77;MpKsl5b737f77;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EE10864B-6FA8-4A45-8ED0-B655CA27082C}\MpKsl5b737f77.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EE10864B-6FA8-4A45-8ED0-B655CA27082C}\MpKsl5b737f77.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [7/26/2011 1:56 PM 163232]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys --> c:\windows\system32\DRIVERS\motfilt.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys --> c:\windows\system32\DRIVERS\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys --> c:\windows\system32\DRIVERS\motccgpfl.sys [?]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys --> c:\windows\system32\DRIVERS\Motousbnet.sys [?]
S3 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [8/4/2004 4:00 AM 5120]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
S4 afcdpsrv;Acronis Nonstop Backup service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [7/26/2011 1:56 PM 3975088]
S4 BRA_Scheduler;Brother BRAdminPro Scheduler;c:\program files\Brother\BRAdmin Professional 3\bratimer.exe [11/3/2010 9:02 AM 65536]
S4 GenericMount Helper Service;GenericMount Helper Service;c:\program files\Norton Ghost\Shared\Drivers\GenericMountHelper.exe [9/21/2009 8:25 PM 1571336]
S4 HP ProCurve Datastore;HP ProCurve Datastore;c:\program files\Hewlett-Packard\PNM\server\mysql\bin\mysqld-nt.exe [2/23/2011 1:43 PM 5767168]
S4 HP ProCurve Network Manager Agent;HP ProCurve Network Manager Agent;c:\program files\Hewlett-Packard\PNM\pcm-agent\wrapper.exe [2/23/2011 1:39 PM 217088]
S4 HP ProCurve Network Manager Server;HP ProCurve Network Manager Server;c:\program files\Hewlett-Packard\PNM\server\Wrapper.exe [2/23/2011 1:42 PM 217088]
S4 MotoHelper;MotoHelper Service;c:\program files\Motorola\MotoHelper\MotoHelperService.exe [12/2/2010 3:45 PM 218432]
S4 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [9/21/2009 8:19 PM 1964528]
S4 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [1/12/2010 10:57 AM 185640]
S4 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [12/7/2010 6:32 AM 2228008]
S4 Tomcat;HP ProCurve Http Server;c:\program files\Hewlett-Packard\PNM\server\Wrapper.exe [2/23/2011 1:42 PM 217088]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
termsvc REG_MULTI_SZ TermServices
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-04-19 21:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1802894745-1664240815-108318403-1005Core.job
- c:\documents and settings\smiller\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-26 12:43]
.
2011-07-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1802894745-1664240815-108318403-1005UA.job
- c:\documents and settings\smiller\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-26 12:43]
.
2011-06-29 c:\windows\Tasks\MotoHelper MUM.job
- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2010-12-02 19:45]
.
2011-07-25 c:\windows\Tasks\MotoHelper Routing.job
- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2010-12-02 19:45]
.
2011-06-29 c:\windows\Tasks\MotoHelper Update.job
- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2010-12-02 19:45]
.
2011-07-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]
.
2011-07-27 c:\windows\Tasks\User_Feed_Synchronization-{B46510EA-335F-460D-9DD5-E8A3D10A0578}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = https://portal.dealersuite.com/josso/signon/login.do?josso_back_to=/members/index.jsp
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=laptop
uInternet Settings,ProxyOverride = <local>;192.168.*.*
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: adp.com\*.ds
Trusted Zone: adpremotesupport.com
Trusted Zone: autopartners.net\www
Trusted Zone: cobaltgroup.com\toolsw3.prod
Trusted Zone: dealersuite.com\portal
Trusted Zone: gmglobalconnect.com\www
Trusted Zone: vinmanager.com\apps
TCP: DhcpNameServer = 192.110.112.95 192.224.49.125
TCP: Interfaces\{3E1CA526-FADD-48B6-952D-DA2ED7F297FD}: NameServer = 4.2.2.2
TCP: Interfaces\{51E58E3D-58D5-4833-B9DD-08322C3F6447}: NameServer = 8.8.8.8
DPF: CM_AdvancedCAB - hxxps://www.gs.reyrey.com/common/ClientCheck/CM_AdvancedCAB.CAB
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {00906302-0F14-442C-B39C-275F61BC25BC} - hxxp://192.110.112.1/apps/autoTools/sda/common/atSdaCfg.CAB
DPF: {01118F00-3E00-11D2-8470-0060089874ED} - hxxp://dsra1he.ds.adp.com/sdccommon/download/ssrc.cab
DPF: {01119400-3E00-11D2-8470-0060089874ED} - hxxp://dsra1he.ds.adp.com/sdccommon/download/sprtctlln.cab
DPF: {037790A6-1576-11D6-903D-00105AABADD3} - hxxp://192.110.112.1/apps/bluezone/controls/sglw2hcm.ocx
DPF: {0D221D00-A6ED-477C-8A91-41F3B660A832} - hxxps://apps.vinmanager.com/CarDashboard/Reserved.ReportViewerWebControl.axd?Mode=true&ReportID=e6f94e5ef5da422b91d4970147f33135&ControlID=9b8b88523d0949a5b272d0f223cf4155&Culture=1033&UICulture=1033&ReportStack=1&OpType=PrintCab
DPF: {4E8AEBE0-31A6-43B0-A429-748DB14A70A0} - hxxp://192.110.112.1/apps/common/includes/PC-CONFIG-CHECK.CAB
DPF: {6464CEE5-3D4A-483B-A816-9287286C77DB} - hxxp://192.110.112.1/apps/common/includes/NETX.CAB
DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} - file://porterserv01/VPHOME/CLT-INST/WEBINST/webinst.cab
FF - ProfilePath - c:\documents and settings\smiller\Application Data\Mozilla\Firefox\Profiles\p5rbq3xt.default\
FF - prefs.js: keyword.URL - hxxp://finderquery.com/?clid=9569e869410443e8b55c25bd0a5df666&prt=whitesmokefqbho&tmp=nemo_results&keywords=
FF - user.js: keyword.URL - hxxp://finderquery.com/?tmp=redir_bho_bing&prt=whitesmokefqbho&keywords=
FF - user.js: keyword.enabled - 1
.
.
------- File Associations -------
.
exefile="c:\documents and settings\NetworkService\Local Settings\Application Data\dsh.exe" -a "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-Acrobat Assistant 7 - c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
MSConfigStartUp-EaseUs Tray - c:\program files\EASEUS\Todo Backup\bin\TrayNotify.exe
MSConfigStartUp-EaseUs Watch - c:\program files\EASEUS\Todo Backup\bin\EuWatch.exe
MSConfigStartUp-HP Software Update - c:\program files\Hp\HP Software Update\HPWuSchd2.exe
MSConfigStartUp-osCheck - c:\program files\Norton Internet Security\osCheck.exe
MSConfigStartUp-Reminder - c:\windows\Creator\Remind_XP.exe
MSConfigStartUp-ToolBoxFX - c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe
MSConfigStartUp-WatchDog - c:\program files\InterVideo\DVD Check\DVDCheck.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-27 15:46
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.ipsec]
"ImagePath"="\*"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSSdk23]
"ImagePath"="\??\c:\windows\system32\Drivers\PsSdk23.drv"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"="a"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1802894745-1664240815-108318403-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1644)
c:\windows\system32\WININET.dll
c:\windows\system32\ter1mw32.dll
c:\windows\system32\igfxdev.dll
.
- - - - - - - > 'lsass.exe'(1704)
c:\windows\system32\WININET.dll
.
Completion time: 2011-07-27 15:53:26
ComboFix-quarantined-files.txt 2011-07-27 19:53
.
Pre-Run: 163,269,046,272 bytes free
Post-Run: 164,291,985,408 bytes free
.
- - End Of File - - 6391AD3E4EC9B5AC409AA5B0FB9999A6

Edited by ghen, 01 August 2011 - 07:20 AM.


#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:03 PM

Posted 01 August 2011 - 07:28 AM

Hi,

Did you run the FixTDSS? Was anything reported as found?


Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic411896.html/page__view__findpost__p__2355009

DirLook::
c:\windows\system32\%APPDATA%

Collect::
c:\windows\system32\termlw32.dll
c:\windows\system32\ter1mw32.dll
c:\program files\WhiteSmoke_Bar\prxtbWhit.dll



Folder::
c:\documents and settings\NetworkService\Local Settings\Application Data\WhiteSmoke_Bar
c:\program files\WhiteSmoke_Bar
c:\program files\Shop to Win 3
c:\program files\Shop To Win
c:\program files\FinderQuery Addon
c:\program files\IspAssistant Addon

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{167d9323-f7cc-48f5-948a-6f012831a69f}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9F56A04A-4886-48F7-B8B2-376F30FC27DF}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6DA1E850-9F71-4B3C-81A4-D9EEEF6FCD50}"=-
"{ADC66251-6410-4a15-9499-7D73C6994B25}"=-
"{167d9323-f7cc-48f5-948a-6f012831a69f}"=-
[-HKEY_CLASSES_ROOT\clsid\{6da1e850-9f71-4b3c-81a4-d9eeef6fcd50}]
[-HKEY_CLASSES_ROOT\clsid\{adc66251-6410-4a15-9499-7d73c6994b25}]
[-HKEY_CLASSES_ROOT\clsid\{167d9323-f7cc-48f5-948a-6f012831a69f}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ter1mw32]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsvces]

FireFox::
FF - ProfilePath - c:\documents and settings\smiller\Application Data\Mozilla\Firefox\Profiles\p5rbq3xt.default\
FF - prefs.js: keyword.URL - hxxp://finderquery.com/?clid=9569e869410443e8b55c25bd0a5df666&prt=whitesmokefqbho&tmp=nemo_results&keywords=
FF - user.js: keyword.URL - hxxp://finderquery.com/?tmp=redir_bho_bing&prt=whitesmokefqbho&keywords=

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
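An added example, not part of CatByte's post and not code from ComboFix or BleepingComputer: a small Python triage script that reads ComboFix-style log lines and flags the persistence points the CFScript above targets. It checks Winlogon Notify packages whose key name does not match their DLL or whose DLL is freshly dated, one DLL registered under several Notify names (ter1mw32 and termsvces both pointing at ter1mw32.dll), a non-empty AppInit_DLLs value, a changed exefile association, and a Notify DLL confirmed loaded inside winlogon.exe. The sample lines are copied from the log posted earlier in the thread; the clean control entry, the finding names and the 7-day "recent" threshold are constructed assumptions for illustration.

```python
import re
from datetime import date

# Line formats as ComboFix prints them (matched against the samples below).
NOTIFY_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
    r"\\winlogon\\notify\\([^\]]+)\]$", re.I)
FILE_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} (\d+) \S+ (.+)$")
APPINIT = re.compile(r'^"AppInit_DLLs"=(.*)$', re.I)
EXEFILE = re.compile(r"^exefile=(.*)$", re.I)
PROCESS_HDR = re.compile(r"^- - - - - - - > '([^']+)'\((\d+)\)$")
DEFAULT_EXEFILE = '"%1" %*'  # stock value of exefile\shell\open\command

# Sample input: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ter1mw32]
2011-07-27 18:31 35840 ----a-w- c:\windows\system32\ter1mw32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsvces]
2011-07-27 18:31 35840 ----a-w- c:\windows\system32\ter1mw32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll
.
------- File Associations -------
.
exefile="c:\documents and settings\NetworkService\Local Settings\Application Data\dsh.exe" -a "%1" %*
.
- - - - - - - > 'winlogon.exe'(1644)
c:\windows\system32\WININET.dll
c:\windows\system32\ter1mw32.dll
c:\windows\system32\igfxdev.dll
.
- - - - - - - > 'lsass.exe'(1704)
c:\windows\system32\WININET.dll
"""

# Constructed control input (assumption, not from the thread): a stock XP
# Notify package with an old file date and the default exefile association.
CLEAN_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\scecli]
2008-04-14 10:42 180224 ----a-w- c:\windows\system32\scecli.dll
.
exefile="%1" %*
"""


def parse_log(text):
    """Pull the persistence-relevant records out of a ComboFix-style log."""
    rec = {"notify": [], "appinit": None, "exefile": None, "loaded": {}}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        m = NOTIFY_KEY.match(line)
        if m and i + 1 < len(lines):
            # ComboFix prints the DLL's file record on the line under the key.
            fm = FILE_LINE.match(lines[i + 1].strip())
            if fm:
                rec["notify"].append((m.group(1), fm.group(3).lower(), fm.group(1)))
                i += 2
                continue
        m = APPINIT.match(line)
        if m:
            rec["appinit"] = m.group(1).strip() or None
        m = EXEFILE.match(line)
        if m:
            rec["exefile"] = m.group(1).strip()
        m = PROCESS_HDR.match(line)
        if m:
            # "DLLs Loaded Under Running Processes": paths follow until a "." line.
            dlls = []
            i += 1
            while i < len(lines) and lines[i].strip() not in ("", "."):
                dlls.append(lines[i].strip())
                i += 1
            rec["loaded"][m.group(1)] = dlls
            continue
        i += 1
    return rec


def triage(text, scan_date, recent_days=7):
    """Return (finding_type, detail) tuples; recent_days is an assumed threshold."""
    rec = parse_log(text)
    scan = date.fromisoformat(scan_date)
    findings = []
    names_by_dll = {}
    for key_name, dll, file_date in rec["notify"]:
        base = dll.rsplit("\\", 1)[-1]
        # Heuristic: a genuine Notify package is registered under its own DLL
        # name; termsvces -> ter1mw32.dll is the kind of mismatch to look at.
        if not base.startswith(key_name.lower()):
            findings.append(("winlogon-notify-name-mismatch", f"{key_name} -> {base}"))
        # A Notify DLL written in the last few days (or future-dated) is worth a look.
        if (scan - date.fromisoformat(file_date)).days <= recent_days:
            findings.append(("winlogon-notify-recent-dll", f"{key_name} -> {dll} (dated {file_date})"))
        names_by_dll.setdefault(dll, []).append(key_name)
    for dll, names in names_by_dll.items():
        if len(names) > 1:
            findings.append(("winlogon-notify-duplicate-dll", f"{dll} registered as {', '.join(names)}"))
    if rec["appinit"]:
        findings.append(("appinit-dll", rec["appinit"]))
    if rec["exefile"] is not None and rec["exefile"] != DEFAULT_EXEFILE:
        findings.append(("exefile-hijack", rec["exefile"]))
    for proc, dlls in rec["loaded"].items():
        for dll in dlls:
            if dll.lower() in names_by_dll:
                findings.append(("notify-dll-loaded", f"{dll} loaded in {proc}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG, "2011-07-27"):
        print(f"{kind:32} {detail}")
```

Run with no arguments and it prints seven findings for the thread's log and none for the control entry. Every finding lines up with something CatByte's CFScript acts on: the two Notify keys in the Registry:: section, the exefile hijack pointing at dsh.exe, and ter1mw32.dll being collected and later zipped by ComboFix. The name-match and date checks are heuristics; a mismatch or a fresh date is a reason to inspect the DLL, not proof on its own.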


#5 ghen

ghen
  • Topic Starter

  • Members
  • 7 posts
  • Local time:11:03 PM

Posted 01 August 2011 - 10:07 AM

Fix TDSS results:
It found an infected MBR. I hit repair. It stated the repair succeeded.

Microsoft Security Essentials now states that it is turned off. I hit Turn On. It was unable to do so. (error 0x800705b4)

Combofix results:

Combofix updated its software before starting. After combofix ran and rebooted the computer, Microsoft Security Essentials now seems to work properly.

------------------------
ComboFix 11-07-31.04 - jcopeland 08/01/2011 10:42:11.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1132 [GMT -4:00]
Running from: c:\documents and settings\smiller\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\smiller\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
file zipped: c:\windows\system32\ter1mw32.dll
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\NetworkService\Local Settings\Application Data\WhiteSmoke_Bar
c:\documents and settings\NetworkService\Local Settings\Application Data\WhiteSmoke_Bar\ldrtbWhit.dll
c:\documents and settings\NetworkService\Local Settings\Application Data\WhiteSmoke_Bar\tbWhit.dll
c:\documents and settings\NetworkService\Local Settings\Application Data\WhiteSmoke_Bar\toolbar.cfg
c:\program files\Shop to Win 3
c:\program files\Shop to Win 3\%APPDATA%\FCSB000062037\Toolbar\patch.bat
c:\program files\Shop to Win 3\%APPDATA%\FCSB000062037\Toolbar\settings.xml
c:\program files\Shop to Win 3\%APPDATA%\FCSB000062037\Toolbar\Shop to Win 3.dll
c:\program files\Shop to Win 3\%APPDATA%\FCSB000062037\Toolbar\ShoppingBHO.dll
c:\program files\Shop to Win 3\%APPDATA%\FCSB000062037\Toolbar\ShopToWin.ico
c:\program files\Shop to Win 3\%APPDATA%\FCSB000062037\Toolbar\Uninst.exe
c:\program files\Shop to Win 3\%APPDATA%\FCSB000062037\Toolbar\version.txt
c:\windows\system32\ter1mw32.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-07-01 to 2011-08-01 )))))))))))))))))))))))))))))))
.
.
2011-08-01 14:52 . 2011-08-01 14:52 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{11790EB5-3821-4A15-B45E-67412C089019}\MpKsl6bb46cba.sys
2011-08-01 12:24 . 2011-07-13 03:39 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{11790EB5-3821-4A15-B45E-67412C089019}\mpengine.dll
2011-07-28 13:36 . 2001-08-17 18:56 111232 ----a-w- c:\windows\system32\dllcache\cl5465.dll
2011-07-28 13:35 . 2001-08-18 02:36 15360 ----a-w- c:\windows\system32\dllcache\brmfbidi.dll
2011-07-28 13:34 . 2001-08-18 02:36 61440 ----a-w- c:\windows\system32\dllcache\acerscad.dll
2011-07-27 20:46 . 2011-07-27 20:46 -------- d-----w- c:\program files\Mozilla Firefoxxx
2011-07-27 20:17 . 2011-07-27 20:17 -------- d-----w- c:\documents and settings\smiller\Local Settings\Application Data\Conduit
2011-07-27 18:33 . 2011-07-27 18:33 -------- d-----w- c:\windows\system32\%APPDATA%
2011-07-27 18:32 . 2011-07-27 20:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Conduit
2011-07-27 18:32 . 2011-07-27 18:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2011-07-27 16:09 . 2011-07-27 16:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-07-27 14:30 . 2011-07-27 14:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-07-27 13:18 . 2011-07-27 19:04 -------- d-----w- C:\BOOT
2011-07-27 13:17 . 2011-04-22 22:26 187528 ----a-w- c:\windows\system32\drivers\eudisk.sys
2011-07-27 13:17 . 2011-04-22 22:26 20744 ----a-w- c:\windows\system32\drivers\eufs.sys
2011-07-27 13:17 . 2011-04-22 22:26 14216 ----a-w- c:\windows\system32\drivers\eudskacs.sys
2011-07-27 13:17 . 2011-04-22 22:26 30600 ----a-w- c:\windows\system32\drivers\eubakup.sys
2011-07-27 13:17 . 2011-04-22 22:26 35720 ----a-w- c:\windows\system32\drivers\EUBKMON.sys
2011-07-27 13:07 . 2011-07-27 13:17 -------- d-----w- c:\program files\EASEUS
2011-07-26 17:55 . 2011-07-26 17:55 752128 ----a-w- c:\windows\system32\drivers\tdrpm273.sys
2011-07-26 17:55 . 2011-07-26 17:55 600928 ----a-w- c:\windows\system32\drivers\timntr.sys
2011-07-26 17:17 . 2011-07-26 17:45 -------- d-----w- c:\program files\Runtime Software
2011-07-14 20:09 . 2011-07-14 20:11 -------- d-----w- c:\documents and settings\smiller\Application Data\vlc
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-13 03:39 . 2010-04-14 12:27 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-07-06 23:52 . 2008-11-14 16:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-06 23:52 . 2008-11-14 16:20 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-21 15:02 . 2011-06-06 12:43 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-07 15:55 . 2011-07-01 14:52 7074640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
2011-06-03 17:55 . 2011-06-03 17:55 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-03 17:55 . 2011-06-03 17:55 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-02 14:02 . 2004-08-04 08:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 15:50 . 2011-02-22 15:50 289592 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\system32\%APPDATA% ----
.
2011-07-27 18:33 . 2011-07-27 18:32 59116 ----a-w- c:\windows\system32\%APPDATA%\FCSB000062037\Toolbar\%APPDATA%\FCSB000062037\Toolbar\Uninst.exe
2011-07-27 18:33 . 2011-07-27 18:32 50 ----a-w- c:\windows\system32\%APPDATA%\FCSB000062037\Toolbar\%APPDATA%\FCSB000062037\Toolbar\version.txt
2011-07-27 18:33 . 2010-04-27 16:08 6862 ----a-w- c:\windows\system32\%APPDATA%\FCSB000062037\Toolbar\%APPDATA%\FCSB000062037\Toolbar\ShopToWin.ico
2011-07-27 18:33 . 2011-07-27 18:32 687104 ----a-w- c:\windows\system32\%APPDATA%\FCSB000062037\Toolbar\%APPDATA%\FCSB000062037\Toolbar\ShoppingBHO.dll
2011-07-27 18:33 . 2010-12-29 18:20 14432 ----a-w- c:\windows\system32\%APPDATA%\FCSB000062037\Toolbar\%APPDATA%\FCSB000062037\Toolbar\Shop to Win 3.dll
2011-07-27 18:33 . 2011-04-20 18:15 1936 ----a-w- c:\windows\system32\%APPDATA%\FCSB000062037\Toolbar\%APPDATA%\FCSB000062037\Toolbar\settings.xml
2011-07-27 18:33 . 2011-04-20 18:15 713 ----a-w- c:\windows\system32\%APPDATA%\FCSB000062037\Toolbar\%APPDATA%\FCSB000062037\Toolbar\patch.bat
2011-07-27 18:33 . 2011-07-27 18:32 59116 ----a-w- c:\windows\system32\%APPDATA%\FCSB000062037\Toolbar\Uninst.exe
2011-07-27 18:33 . 2011-07-27 18:32 50 ----a-w- c:\windows\system32\%APPDATA%\FCSB000062037\Toolbar\version.txt
2011-07-27 18:33 . 2010-04-27 16:08 6862 ----a-w- c:\windows\system32\%APPDATA%\FCSB000062037\Toolbar\ShopToWin.ico
2011-07-27 18:33 . 2011-04-20 18:15 1936 ----a-w- c:\windows\system32\%APPDATA%\FCSB000062037\Toolbar\settings.xml
2011-07-27 18:33 . 2010-12-29 18:20 14432 ----a-w- c:\windows\system32\%APPDATA%\FCSB000062037\Toolbar\Shop to Win 3.dll
2011-07-27 18:33 . 2011-07-27 18:32 687104 ----a-w- c:\windows\system32\%APPDATA%\FCSB000062037\Toolbar\ShoppingBHO.dll
2011-07-27 18:33 . 2011-04-20 18:15 713 ----a-w- c:\windows\system32\%APPDATA%\FCSB000062037\Toolbar\patch.bat
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spark"="c:\program files\Spark\Spark.exe" [2007-11-14 434176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UltraMon"="c:\program files\UltraMon\UltraMon.exe" [2006-10-13 304640]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1040384]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-24 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-24 166424]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\smiller\Start Menu\Programs\Startup\
dual monitor, master left.lnk - c:\documents and settings\smiller\Application Data\Realtime Soft\UltraMon\Profiles\dual monitor, master left.umprofile [2010-3-26 469]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=c:\windows\pss\DVD Check.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpzrcv01.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpzrcv01.LNK
backup=c:\windows\pss\hpzrcv01.LNKCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-06-12 02:43 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2008-06-12 06:25 37232 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-06-08 04:02 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 10:42 110592 ----a-w- c:\windows\system32\bthprops.cpl
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Access Check Version]
1999-10-12 09:50 47888 ----a-w- c:\program files\IBM\Client Access\cwbckver.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Access Help Update]
1999-10-12 09:50 15632 ----a-w- c:\program files\IBM\Client Access\cwbinhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Access Service]
1999-10-12 09:50 6928 ----a-w- c:\program files\IBM\Client Access\cwbsvstr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
2007-09-20 17:58 61440 ----a-w- c:\program files\Hewlett-Packard\Default Settings\Cpqset.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 10:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-08-26 12:43 136176 ----atw- c:\documents and settings\smiller\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 15:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 13:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2007-04-19 21:26 484904 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]
2008-04-14 10:41 177152 ----a-w- c:\windows\system32\mqrt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 10:42 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2004-08-04 13:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-09-24 12:27 137752 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 13:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 13:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTHOSTTR]
2007-01-09 23:52 145184 ----a-w- c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2007-11-07 00:34 177456 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-01-07 17:12 253672 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Tomcat"=2 (0x2)
"TeamViewer5"=2 (0x2)
"SymSnapService"=3 (0x3)
"sprtsvc_smartagent"=2 (0x2)
"SolidWorks Licensing Service"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Norton Ghost"=2 (0x2)
"mozybackup"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"LiveUpdate"=3 (0x3)
"LightScribeService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"ImapiService"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"HP ProCurve Network Manager Server"=2 (0x2)
"HP ProCurve Network Manager Agent"=2 (0x2)
"HP ProCurve Datastore"=2 (0x2)
"gusvc"=3 (0x3)
"GenericMount Helper Service"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"btwdins"=2 (0x2)
"BRA_Scheduler"=2 (0x2)
"AgereModemAudio"=2 (0x2)
"afcdpsrv"=2 (0x2)
"AcrSch2Svc"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\ADP\\webSuite View\\Client 4.5.193.0\\SW9C.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Foxit Software\\PDF Editor\\PDFEdit.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\ADP\\webSuite View\\Client 4.5.228.0\\SW9C.EXE"=
"c:\\Program Files\\Common Files\\supportsoft\\bin\\sprtlisten.exe"=
"c:\\Program Files\\Common Files\\supportsoft\\bin\\ssrc.exe"=
"c:\\Program Files\\smartagent\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\smartagent\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\smartagent\\bin\\sprtcmd.exe"=
"c:\\Program Files\\smartagent\\bin\\sprtsvc.exe"=
"c:\\Program Files\\smartagent\\bin\\tgshell.exe"=
"c:\\Program Files\\smartagent\\bin\\tgsrvc.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"17678:TCP"= 17678:TCP:BitComet 17678 TCP
"17678:UDP"= 17678:UDP:BitComet 17678 UDP
.
R1 MpKsl6bb46cba;MpKsl6bb46cba;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{11790EB5-3821-4A15-B45E-67412C089019}\MpKsl6bb46cba.sys [8/1/2011 10:52 AM 28752]
R2 io.sys;IO.DLL Driver;c:\windows\system32\drivers\io.sys [9/23/2008 1:10 PM 5152]
R2 MotoHelper;MotoHelper Service;c:\program files\Motorola\MotoHelper\MotoHelperService.exe [12/2/2010 3:45 PM 218432]
R2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [12/7/2010 6:32 AM 2228008]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [9/24/2006 10:22 PM 11776]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [9/24/2006 10:23 PM 3584]
S1 MpKsl5b737f77;MpKsl5b737f77;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EE10864B-6FA8-4A45-8ED0-B655CA27082C}\MpKsl5b737f77.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EE10864B-6FA8-4A45-8ED0-B655CA27082C}\MpKsl5b737f77.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys --> c:\windows\system32\DRIVERS\motfilt.sys [?]
S3 GenericMount;Generic Mount Driver;c:\windows\system32\DRIVERS\GenericMount.sys --> c:\windows\system32\DRIVERS\GenericMount.sys [?]
S3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys [5/4/2011 11:40 AM 25856]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys --> c:\windows\system32\DRIVERS\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys --> c:\windows\system32\DRIVERS\motccgpfl.sys [?]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys --> c:\windows\system32\DRIVERS\Motousbnet.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
S4 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [1/12/2010 10:57 AM 185640]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL6BB46CBA
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-04-19 21:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1802894745-1664240815-108318403-1005Core.job
- c:\documents and settings\smiller\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-26 12:43]
.
2011-08-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1802894745-1664240815-108318403-1005UA.job
- c:\documents and settings\smiller\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-26 12:43]
.
2011-07-28 c:\windows\Tasks\MotoHelper MUM.job
- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2010-12-02 19:45]
.
2011-07-28 c:\windows\Tasks\MotoHelper Routing.job
- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2010-12-02 19:45]
.
2011-07-28 c:\windows\Tasks\MotoHelper Update.job
- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2010-12-02 19:45]
.
2011-08-01 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]
.
2011-08-01 c:\windows\Tasks\User_Feed_Synchronization-{B46510EA-335F-460D-9DD5-E8A3D10A0578}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = https://portal.dealersuite.com/josso/signon/login.do?josso_back_to=/members/index.jsp
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=laptop
uInternet Settings,ProxyOverride = <local>;192.168.*.*
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: adp.com\*.ds
Trusted Zone: adpremotesupport.com
Trusted Zone: autopartners.net\www
Trusted Zone: cobaltgroup.com\toolsw3.prod
Trusted Zone: dealersuite.com\portal
Trusted Zone: gmglobalconnect.com\www
Trusted Zone: vinmanager.com\apps
TCP: DhcpNameServer = 192.110.112.95 192.224.49.125
TCP: Interfaces\{3E1CA526-FADD-48B6-952D-DA2ED7F297FD}: NameServer = 4.2.2.2
TCP: Interfaces\{51E58E3D-58D5-4833-B9DD-08322C3F6447}: NameServer = 8.8.8.8
DPF: CM_AdvancedCAB - hxxps://www.gs.reyrey.com/common/ClientCheck/CM_AdvancedCAB.CAB
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {00906302-0F14-442C-B39C-275F61BC25BC} - hxxp://192.110.112.1/apps/autoTools/sda/common/atSdaCfg.CAB
DPF: {01118F00-3E00-11D2-8470-0060089874ED} - hxxp://dsra1he.ds.adp.com/sdccommon/download/ssrc.cab
DPF: {01119400-3E00-11D2-8470-0060089874ED} - hxxp://dsra1he.ds.adp.com/sdccommon/download/sprtctlln.cab
DPF: {037790A6-1576-11D6-903D-00105AABADD3} - hxxp://192.110.112.1/apps/bluezone/controls/sglw2hcm.ocx
DPF: {0D221D00-A6ED-477C-8A91-41F3B660A832} - hxxps://apps.vinmanager.com/CarDashboard/Reserved.ReportViewerWebControl.axd?Mode=true&ReportID=e6f94e5ef5da422b91d4970147f33135&ControlID=9b8b88523d0949a5b272d0f223cf4155&Culture=1033&UICulture=1033&ReportStack=1&OpType=PrintCab
DPF: {4E8AEBE0-31A6-43B0-A429-748DB14A70A0} - hxxp://192.110.112.1/apps/common/includes/PC-CONFIG-CHECK.CAB
DPF: {6464CEE5-3D4A-483B-A816-9287286C77DB} - hxxp://192.110.112.1/apps/common/includes/NETX.CAB
DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} - file://porterserv01/VPHOME/CLT-INST/WEBINST/webinst.cab
FF - ProfilePath - c:\documents and settings\smiller\Application Data\Mozilla\Firefox\Profiles\jqwt63vr.default\
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Acronis Scheduler2 Service - c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
MSConfigStartUp-BrStsWnd - c:\program files\Brownie\BrstsWnd.exe
MSConfigStartUp-MCW Startup - c:\program files\Monitor Calibration Wizard\MCW.exe
MSConfigStartUp-Norton Ghost 15 - c:\program files\Norton Ghost\Agent\VProTray.exe
MSConfigStartUp-SAOB Monitor - c:\program files\Acronis\OnlineBackupStandalone\TrueImageMonitor.exe
MSConfigStartUp-TrueImageMonitor - c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-01 10:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.ipsec]
"ImagePath"="\*"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSSdk23]
"ImagePath"="\??\c:\windows\system32\Drivers\PsSdk23.drv"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"="a"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1802894745-1664240815-108318403-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2324)
c:\windows\system32\WININET.dll
c:\program files\UltraMon\RTSUltraMonHook.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\program files\UltraMon\Resources\en\RTSUltraMonHookRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\system32\msdtc.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Motorola\MotoHelper\MotoHelperAgent.exe
c:\program files\smartagent\bin\tgsrvc.exe
c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\program files\TeamViewer\Version6\TeamViewer.exe
c:\windows\system32\mqsvc.exe
c:\windows\system32\mqtgsvc.exe
c:\program files\TeamViewer\Version6\tv_w32.exe
c:\program files\UltraMon\UltraMonTaskbar.exe
.
**************************************************************************
.
Completion time: 2011-08-01 11:03:59 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-01 15:03
ComboFix2.txt 2011-07-27 19:53
.
Pre-Run: 166,271,643,648 bytes free
Post-Run: 166,350,020,608 bytes free
.
- - End Of File - - 7982790F7FFBCC1FD0374A14F7F4F881
Upload was successful
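
The `Look` section of the log above lists files under a directory literally named `%APPDATA%` inside `system32`, with the same `FCSB000062037\Toolbar` subtree nested inside itself; that folder is exactly what the CFScript in the next reply removes. As an added example (not ComboFix's output format specification, nor code from anyone in this thread), here is a small parser for ComboFix file-listing lines that flags paths containing an unexpanded environment-variable name as a literal directory component and detects a self-repeating subpath; the regex is my reading of the line layout shown in the log, and the sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One ComboFix file-listing line, as seen in the log above:
#   "<modified> . <created> <size or --------> <attrs> <path>"
LINE_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-zA-Z]{8}) (?P<path>.+)$"
)

# A path component that is literally "%NAME%": the variable was never expanded,
# so the installer created a directory with that name rather than writing to
# the real per-user Application Data folder.
UNEXPANDED_VAR_RE = re.compile(r"^%[A-Za-z_][A-Za-z0-9_]*%$")


@dataclass
class Entry:
    modified: str
    created: str
    size: Optional[int]  # None for directory entries ("--------")
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_line(line: str) -> Optional[Entry]:
    """Parse one listing line; return None for headers, separators and '.' lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size_field = m.group("size")
    size = int(size_field) if size_field.isdigit() else None
    return Entry(m.group("modified"), m.group("created"), size,
                 m.group("attrs"), m.group("path"))


def parse_listing(text: str) -> List[Entry]:
    """Parse a block of ComboFix listing text, skipping non-entry lines."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def unexpanded_components(path: str) -> List[str]:
    """Return the path components that are literal, unexpanded %VAR% names."""
    return [c for c in path.split("\\") if UNEXPANDED_VAR_RE.match(c)]


def repeated_run(components: List[str]) -> Optional[List[str]]:
    """Return the longest run of >=2 components that immediately repeats itself,
    e.g. [..., A, B, C, A, B, C, ...] -> [A, B, C]; None if there is none."""
    n = len(components)
    for k in range(n // 2, 1, -1):  # longest candidate run first
        for i in range(0, n - 2 * k + 1):
            if components[i:i + k] == components[i + k:i + 2 * k]:
                return components[i:i + k]
    return None


def flag_entries(entries: List[Entry]) -> List[Dict]:
    """Flag entries whose path contains a literal %VAR% directory component."""
    findings = []
    for e in entries:
        comps = unexpanded_components(e.path)
        if not comps:
            continue
        findings.append({
            "path": e.path,
            "components": comps,
            "under_system32": e.path.lower().startswith("c:\\windows\\system32\\"),
            "repeated_run": repeated_run(e.path.split("\\")),
        })
    return findings


# Constructed sample: four entry lines copied from the log above plus the
# section header and a "." separator that the parser must skip.
SAMPLE_LOG = r"""
---- Directory of c:\windows\system32\%APPDATA% ----
.
2011-07-27 18:33 . 2011-07-27 18:32 59116 ----a-w- c:\windows\system32\%APPDATA%\FCSB000062037\Toolbar\%APPDATA%\FCSB000062037\Toolbar\Uninst.exe
2011-07-27 18:33 . 2011-07-27 18:32 687104 ----a-w- c:\windows\system32\%APPDATA%\FCSB000062037\Toolbar\ShoppingBHO.dll
2011-07-27 13:07 . 2011-07-27 13:17 -------- d-----w- c:\program files\EASEUS
2011-07-06 23:52 . 2008-11-14 16:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
"""

if __name__ == "__main__":
    for f in flag_entries(parse_listing(SAMPLE_LOG)):
        where = "system32" if f["under_system32"] else "elsewhere"
        nested = " (self-nested: " + "\\".join(f["repeated_run"]) + ")" if f["repeated_run"] else ""
        print(f"SUSPICIOUS [{where}] {f['path']}{nested}")
```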

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:03 PM

Posted 01 August 2011 - 10:44 AM

Hi

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Folder::
c:\windows\system32\%APPDATA%


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT



Visit ADOBE and download the latest version of Acrobat Reader (version X).
Having the latest updates ensures there are no security vulnerabilities in your system.

NEXT

Your Java is out of date.
Java™ 6 Update 25 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.
An update should begin; > follow the prompts.


Clear Java cache

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup) If you do not see the icon, look to your left and click 'Switch to Classic View'.
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


NEXT


Please advise how the computer is running now and if there are any outstanding issues.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 ghen

ghen
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:03 PM

Posted 01 August 2011 - 11:16 AM

Updating Adobe Reader to version X
Updating Java to version 6.26
Clearing Java Cache

Computer performance:

Everything seems to be working properly.

Forums state my post is too long so I'm attaching the combofix log instead of posting it. There seems to be a lot of additions into the c:\windows\system32\dllcache folder under the "files created" header.

---------------------

Attached Files


Edited by ghen, 01 August 2011 - 11:17 AM.


#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:03 PM

Posted 01 August 2011 - 12:56 PM

Hi

Just some housekeeping to do now,

Please do the following:


You can delete the FixTDSS, DDS and GMER logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U; it needs to be there.



If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 ghen

ghen
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:03 PM

Posted 02 August 2011 - 07:08 AM

Thank you for your assistance :)

<3

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:03 PM

Posted 02 August 2011 - 05:54 PM

You are welcome

stay safe :hello:

~CB

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:03 PM

Posted 02 August 2011 - 05:54 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015




